
Infostealer - sfx

Author: Mario Ritter

Introduction

Nowadays, cyber attacks are becoming increasingly sophisticated and their effects can be devastating. One of the most common tools used by attackers is the infostealer: malware designed to steal sensitive information such as login credentials and cookies. In this article and the accompanying video, I'll show you one of the many ways an infostealer can infiltrate a system using a macro in a Word document.

What is an infostealer

An infostealer is a type of malware that focuses on stealing personal and sensitive information from an infected system. This type of malware is particularly dangerous because it can silently collect data and send it to the attacker without the victim's knowledge. Infostealers can be used to obtain login credentials, payment card information, cookies, browsing history, and other sensitive data.

Creation and deployment procedure

Creating an Infostealer

First, I created a simple infostealer that collects login credentials from Google Chrome. The tool is written in C# and compiles to an executable (.exe). This file is designed to run silently in the background and send the collected information to a remote server.

Game preparation and SFX compilation

In the next step I linked the game Tetris2000.exe (by Overlans) with my infostealer using a WinRAR SFX archive. This procedure creates a self-extracting archive that contains both the game and the malicious code. To further increase the chances of a successful security bypass, I put it in a .cab archive, which I then packaged in .zip format. This procedure shows how legitimate software can be combined with malicious code without users immediately noticing.
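A defender-side check for the layering described above, added here as an example and not part of the original article or the author's tooling: it recursively opens a ZIP attachment, classifies each member by its file signature, and flags CAB containers, PE executables and WinRAR SFX stubs (a PE image that carries the embedded RAR signature) at any nesting depth. The Python standard library has no CAB reader, so a CAB is reported as an opaque container rather than opened; the sample archive is constructed inside the script from harmless placeholder bytes and contains no real malware.

```python
import io
import zipfile

# Well-known leading-byte signatures used to classify archive members.
MAGIC = {
    b"MZ": "pe-executable",
    b"MSCF": "cab-archive",
    b"PK\x03\x04": "zip-archive",
}
# RAR4/RAR5 archive signature; a WinRAR SFX is a PE stub followed by this.
RAR_SFX_MARKER = b"Rar!\x1a\x07"


def classify(data: bytes) -> str:
    """Classify a blob by its magic bytes, refining PE files that embed a RAR archive."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            if kind == "pe-executable" and RAR_SFX_MARKER in data:
                return "rar-sfx-executable"
            return kind
    return "other"


def scan_zip(data: bytes, depth: int = 0, max_depth: int = 4) -> list:
    """Walk a ZIP recursively; return (depth, member name, kind) for every file member."""
    findings = []
    if depth > max_depth:  # refuse to follow arbitrarily deep nesting
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            blob = zf.read(info)
            kind = classify(blob)
            findings.append((depth, info.filename, kind))
            if kind == "zip-archive":  # descend into nested ZIPs
                findings.extend(scan_zip(blob, depth + 1, max_depth))
    return findings


def is_suspicious(findings) -> bool:
    """Flag attachments that carry an SFX stub, an executable or a CAB at any depth."""
    flagged = {"rar-sfx-executable", "pe-executable", "cab-archive"}
    return any(kind in flagged for _depth, _name, kind in findings)


def build_sample() -> bytes:
    """Constructed sample (not real malware): ZIP holding a CAB-like blob and a nested ZIP with a fake SFX stub."""
    fake_sfx = b"MZ" + b"\x00" * 62 + RAR_SFX_MARKER + b"\x00" * 16
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("Tetri.exe", fake_sfx)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("readme.txt", b"just a game")
        zf.writestr("Tetris_pack.cab", b"MSCF" + b"\x00" * 32)
        zf.writestr("inner.zip", inner.getvalue())
    return outer.getvalue()
```

Run `scan_zip(build_sample())` to see the per-member findings; in a mail gateway the same walk would run over the decoded attachment before it reaches the user.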

Server settings for data collection

To capture the uploaded data, I used an AWS server running a simple web server built on Flask. This server is ready to receive and process POST requests containing a zipped password file.

The attack itself

Once all the components were ready, the last step was to send a phishing email with an attached ZIP archive containing the game and infostealer. After opening or extracting the "Tetri.exe" file, the infostealer will automatically run in the background and start collecting login credentials. This data is immediately sent to the prepared web server. Once this is complete, the Tetris game itself is launched to mask malicious activity.

Video

Video description

In the video you can watch the whole process in practice: downloading and extracting the archive, checking the files with Microsoft Defender, and finally the actual sending of sensitive data to a remote server.

Statement

This attack was conducted exclusively in an isolated test environment on private accounts that were specifically created for this experiment. The goal of this article and video is not only to demonstrate the potential misuse of technology, but also to emphasize that no technology is 100% secure. It is therefore essential to use common sense and constantly consider the risks associated with using any software or system.

Disclaimer: Unauthorized tampering with someone else's system is illegal and criminal. All hacking activities should only be carried out with the express permission of the system owner and in accordance with applicable laws. This article does not serve as a guide for illegal activities, but as a warning and educational material to improve security.

Stay Kawaii and Hack the Planet!

       /\_/\
      ( o.o )
       > ^ <

Due to lack of time translated via DeeplAI. sooooory :((